{
	"id": "9c3db7f9-ac54-4300-8450-a8031cd10629",
	"created_at": "2026-04-06T00:17:40.249692Z",
	"updated_at": "2026-04-10T03:24:29.445693Z",
	"deleted_at": null,
	"sha1_hash": "9f22d252cd2652396b408010da2b21f962c8ca5e",
	"title": "GoatRAT Attacks Automated Payment Systems",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 743910,
	"plain_text": "GoatRAT Attacks Automated Payment Systems\r\nPublished: 2023-03-30 · Archived: 2026-04-05 14:12:12 UTC\r\nRecently, we came across a detection in our telemetry report named “com.goatmw” which gained our attention. We decided to investigate further, and the malware was found to be a banking trojan. The GoatRAT banking trojan is an Android Remote Administration Tool used to gain access to and control targeted devices, and it carries out fraudulent money transactions using a PIX key. The domain goatrat[.]com (Fig.1) serves as the admin panel (which is not live as of writing this blog) and contains Telegram IDs in its contact section (Fig.2 and Fig.3).\r\nFig.1: Admin Panel (goatrat[.]com)\r\nFig.2: Telegram ID\r\nhttps://labs.k7computing.com/index.php/goatrat-attacks-automated-payment-systems/\r\nPage 1 of 5\r\nFig.3: Telegram ID\r\nTechnical Analysis\r\nOnce “com.goatmw” is installed, the malware starts a service named “Server” (Fig.4), which establishes contact (Fig.5) with the C2 server (Fig.6) to obtain the PIX key required to carry out the fraudulent transactions.\r\nFig.4: Service is initiated\r\nFig.5: Establishes connection to C2\r\nFig.6: C2 server\r\nA PIX key is used to make instant money transfers and is generated by encrypting personal data such as the Taxpayer ID number (CPF for individuals, CNPJ for companies), telephone number and email address (Fig.7).\r\nFig.7: PIX Key\r\nThe RAT then requests the user to grant the accessibility and overlay permissions (Fig.8). The overlay permission enables it to present an overlay screen on top of targeted banking applications, making it look like the legitimate app’s screen so that the user enters their valid credentials without suspecting anything; those credentials are then used to perform fraudulent money transfers.\r\nFig.8: Permissions requested\r\nThis malware targets certain Brazilian banks (Fig.9). When the user opens a banking application, it checks the package name against the targeted banking applications’ package names.\r\nFig.9: Targeted banks\r\nWhen a targeted application is opened, the malware displays an overlay window above the legitimate banking application (Fig.10). This overlay screen captures all the valid credentials and sends them to the C2, and the malware then initiates the money transfer based on the balance available (“Saldo disponivel” – balance available) in the user’s account (Fig.11).\r\nFig.10: Add Overlay screen\r\nFig.11: Balance available\r\nOnce the malware takes control, it requests a PIX key to initiate the transfer (Fig.12). The malware then enters the amount and the PIX key to enable the money transfer and executes the clicks and confirmations automatically (“Pagar” – Pay, “CONFIRMAR” – Confirm; Fig.13), from the bank account the user is logged in to and without the user’s knowledge.\r\nFig.12: Request PIX key\r\nFig.13: Confirm and Pay\r\nOnce the money transfer using the PIX key is done, the malware removes the overlay window from the targeted legitimate application (Fig.14).\r\nFig.14: Removes Overlay\r\nAndroid banking trojans are increasing rapidly. Malware authors are finding new techniques to steal money from users. One such technique was seen exploiting the PIX instant payment platform, targeting Brazilian banks. GoatRAT uses the ATS framework to carry out fraudulent money transactions. ATS is an Automated Transfer System, a new technique employed by banking malware wherein, once the user logs in to a banking app and enters their credentials, the malware takes control and automatically enters the amount and initiates the transaction without the user’s knowledge. We protect users from all these threats. Users are requested to install a reputable security product such as “K7 Mobile Security” and keep it updated to stay safe from such threats.\r\nIOCs\r\nPACKAGE_NAME DETECTION_NAME APK_MD5\r\ncom.goatmw Trojan(0001140e1) ba5833b49e2c6501f5bbce90b7948a85\r\nTargeted banking applications\r\nbr.com.intermedium\r\ncom.nu.production\r\nbr.com.uol.ps.myaccount\r\nSource: https://labs.k7computing.com/index.php/goatrat-attacks-automated-payment-systems/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://labs.k7computing.com/index.php/goatrat-attacks-automated-payment-systems/"
	],
	"report_names": [
		"goatrat-attacks-automated-payment-systems"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434660,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9f22d252cd2652396b408010da2b21f962c8ca5e.pdf",
		"text": "https://archive.orkl.eu/9f22d252cd2652396b408010da2b21f962c8ca5e.txt",
		"img": "https://archive.orkl.eu/9f22d252cd2652396b408010da2b21f962c8ca5e.jpg"
	}
}